OA2 FW Program access rules

Discussion in 'other firewalls' started by innerpeace, Jun 5, 2007.

Thread Status:
Not open for further replies.
  1. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    I'm using OA2 and am liking it so far. It's been really stable. I was using Comodo before so I'm trying to adjust. In Comodos application monitor, It just contained the programs that I specifically started. In my OA2 in the Firewall button and In the 'Rules' - 'Program access' tab, two of the programs listed are Explorer.EXE and svchost.exe. Is it safe to remove these entries and would it make me safer? I didn't mind answering popups before when I was at a safe site that needed other things to run. When in doubt I always blocked anyways. I'd rather answer a pop-up as opposed to clean and re-install windows. If you could also, educate me as to why or why not the two services should need or be allowed to access the internet. I already understand that malware can fake svchost.

    Thanks, innerpeace
     
  2. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    7,293
    Location:
    England
    To make sure that others who are wondering along the same lines as you are, just make sure that in options>firewall, 'automatically allow trusted programs to access the internet' is unticked.

    Then when one of those things you wondered about wants to use the internet it will ask you, and then you will get to know what it is for.
     
  3. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    Hi,

    innerpeace, i already answered your question at OA forum.
    Please don't ask twice the same question.

    Thanks stapp for your answer.

    Regards,

    MaB
     
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi innerpeace,
    As mentioned by "stapp", you should check you firewall settings if you want popup for all programs that attemp access to the internet. I did post some info here on the settings of OA.

    Explorer.exe does not need internet access, this can be blocked without any problems (explorer will normally attempt internet access to microsoft when you make a "search" on your PC).

    Svchost. This will depend on your setup, and your own needs, as for example (for XP), svchost is required for DHCP (if needed on setup), also used for DNS lookups (if the DNS client is active), blocking svchost from these connections, can (in most setups) block your internet connections. There is also a need to allow svchost if you make auto updates for windows. There are other services (from svchost) that will attempt internet access, it depends on your own setup.
     
  5. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,188
    I don't know about that Stem.
    Has never alerted me in the personal firewalls I have used. Unless this is something Vista specific, but I do doubt.
     
  6. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Hello Jarmo.

    I'm on XP, and I kept this rule from Jetico

    Untitled.jpg

    Haven't tried this on Vista, though...

    Cheers.
     
  7. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,188
    Good rule Seer or Nick, but my question went to Stem.
    My current puter from last april is a quite virgin XP, it does not ask from me that.
    Neither did my old XP home one.

    It might have happened sometimes that I could have been asked, as a prompt, but I could have also thought when denying that prompt that firewall was messed up. But I really dont remember been getting ever asked from explorer.exe wanting to get out. Not anyways if I search some file from my PC.

    So if you guys get asked, it must be some software you have installed on your computer?
     
  8. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    What firewall do you have installed. I know some firewalls will allow this outbound by "Explorer" due to whitelists.

    I am currently running checks on CHX, so all outbound internet access on my current setup is checked by SSM, the popup given after starting a "search":-
    (this is currently on XP)

    Capture31-08-2006-11.44.1805-06-2007-20.44.06.jpg

    My current setup is just XP (pro) with CHX and SSM
     
  9. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,188
    Currently Comodo. With no baby settings it comes from, but with "very high" alert level. Causes me sometimes troubles when programs are updated and it sees them as invisible apps. Besides running all inside Sandboxie too.

    Comodo does get messed up sometimes and gives unnecessary prompts, but a reboot helps at times when applications have been updated, even if it is an update only to Firefox Noscript. I do wish Giorgio Maone did not update his extension so often, cause it is like a spam. Comodo always recognizes firefox as a invisible app starting itself after that extension update, duh :(

    I did a search for any *.mp3 files on my computer just to be sure. There was no popup for explorer.exe and it is only in as a parent for internet accessing applications. No explicit entry there for it all alone accessing internet.
    Neither did kerio 2.1.5 or Sygate as far as I remember. Cannot tell so much about Kerio 4 since I ran it only a few times and always I was dissapointed.

    I have not ran OA2 though or ZA never too.
     
    Last edited: Jun 5, 2007
  10. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Hi Jarmo.

    No additional apps. Just this:

    (I deleted the rule and started "search" again)

    Comodo does have a search for trusted apps. Maybe that's the cause you're not getting any popups. Just a wild guess...

    Cheers
     
  11. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    @Jarmo P,

    Base install XP pro sp2, Comodo with custom settings:-

    Capture31-08-2006-11.44.1805-06-2007-23.32.54.jpg
     
  12. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,188
    No Seer, it is that baby setting I was just talking about.
    "Don't show alerts for Comodo certified applications".

    Don't you think if it was not such a famous for those stupid leaktests, it would not at least show when some system file like explorer.exe wants to connect out? Nevertheless one cannot be sure for his settings. I am not now 100% sure for mine but 90% at least.

    But think of my past experience with some other firewalls and also if microsoft really allowed explorer.exe out to internet while doing a local computer search?
    Could no one accept it?

    There is I know that thing when playing music with windows media player that it want to connect out though.
     
    Last edited: Jun 5, 2007
  13. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,188
    For me Stem, it is svchost.exe connecting to those ms servers when I start my PC, but not explorer.exe.
    I leave it for now since this sure is a mystery for me. I am not an expert in this to say more and only I think it should not give you that prompt, it really should not do that.
    At least comodo fw seems to work on you, meaning it gives the same prompt. I am not at all a fan of comodo firewall. Just using it.
    Jarmo
     
    Last edited: Jun 5, 2007
  14. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    @Jarmo P,
    Explorer will always attempt this outbound, it is only how the firewall reacts to this (based on it own whitelist/ user settings).
    I see this with all firewalls I look at. Any that do not prompt to this outbound are either silently blocking/allowing. (it is one of the simple checks I make)
     
  15. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Again on base XP pro:-

    Capture31-08-2006-11.44.1806-06-2007-01.18.51.jpg
     
  16. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    ... Capture31-08-2006-11.44.1806-06-2007-03.03.29.jpg

    As I have mentioned before, I look at all firewalls. I feel sad that I have had to install again these to show what I already know.
     
  17. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Just to complete the discussion if I may...

    Untitled.jpg

    BTW, I never had any problems with this firewall - the famous BSODs.
    This thread has now gone astray. I'm out.

    Cheers guys. :thumb:
     
  18. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,188
    Those are all good firewalls. I would have been surprised if any had not shown in your system what one of them does. You have shown that on your system explorer.exe tries to connect to internet. I accept that.

    What I just say still and I am very strong about it. Explorer.exe does not try to contact internet from my computer. It just does not do that.

    I have always disabled file and printer sharing in microsoft networks (this translated since my XP is in finnish language) in the network connection settings in windows control panel.
    And I have a cable modem connection (in case yours is some wireless one and this has something to do why yours does what it does).
    And I have also always disabled wireless zero configuration service (in case that is what makes explorer.exe "phone" home).
    Other than that, no windows services are tweaked and nothing like wwdc is applied either to indirectly have my XP install settings tweaked and in this way propably some functionality would have been lost.
    Best wishes,
    Jarmo
     
  19. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Hello again Jarmo P. :)

    I believe this explorer connection has nothing to do with services. I have very similar config as you (I'm on DSL and this PC is not on LAN), and I have disabled "very many" (15-20) default services. But, if you doubt in your firewall (or your setup), you can always download a packet sniffer like Wireshark (it's free). It will show you what connections are really established and does your firewall do it's job as it should. Give it a try, it's easy to use, and then preferably report back with the results. I am now very curious as to why doesn't your explorer.exe connect out on "search"... o_O

    Cheers. :)
     
  20. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,188
    I know a little about firewalls Nick. That Sygate guide in my signature is made by me.
    I do have wireshark installed. I am just not now in the mood to play with it. This starts to bore me, but if I have the energy to do that I will report if any findings that differ from my firewall.
    And as told, no one of my firewalls in my old xp computer did and now Comodo in my new XP one neither does not alert me for explorer.exe connecting out.

    EDIT
    I put wireshark to capture and started explorer.exe by right clicking Start-button. Then I searched *.mp3 files from my documents and nothing happened. I closed the explorer window and still nothing.
     

    Attached Files:

    Last edited: Jun 6, 2007
  21. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    Thank your for your reply Stapp

    @MaB, I'm looking for input on the general acceptable reasons as to why the above 2 mentioned processes would need web access. This forum has a larger user base and I was wanting multiple input sources. I don't like to put all my eggs in 1 basket. Where I live, we have the freedom of speech. I belong to 2 other forums also, and if I don't get an acceptable answer that satisfies my needs, I will post in them also. That being said, I thank you for your replies so far at the OA forums. Without an updated helpfile, you all will probably stay busy for awhile. I'm totally changing my security programs and I need all the input, advice and experience I can get. It seems all of my wanted programs have come out of beta at once and I am playing catchup.:)

    I will block this and or remove it from my program access list.

    My DHCP service is set to automatic(I guess I need this for my router, I probably don't because I only have 1 computer). My DNS service is disabled because I use a hosts file. I manually update windows, but the service "Automatic updates' is set to automatic. I think I re-enabled it because at the time I was running Windows Defender and it needed it. I will disable again and see how that goes.

    Here are my current rules for svchost in OA2. Can you help me 'weed them out'? I have a very limited internet setup. I have many services disabled and I don't use an e-mail program. I do keep the help and support service to automatic. I think it needs internet access, but I still want a prompt for it.
    svchost UDP IN 68(bootpc)
    svchost UDP Out 53(domain), 67(bootps)
    svchost TCP Out 80(http), 443(https)

    Thanks all for your help and for your patience. innerpeace
     
  22. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hello,
    I never see any outbound attempts by explorer just so.
    Regardless of the firewall. Only when I try a search does it ask to connect.
    Mrk
     
  23. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    The Netherlands
    The only rule I have at the moment is svchost UDP Out 53.
    I have disabled the services: DHCP, DNS and Auto Updates.
    You can export your rules and play around, if everything goes wrong you can allways import them again.

    Gerard
     
  24. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,188
    Well, I am not happy if everyone elses puter connects to internet while searching files in the harddisk. Hmmm.

    My previous XP was from fujitsu-siemens and I had to download even servicepack 1 to it, but it was containing only a recovery CD for XP Home.
    Starting to feel there is something fishy with this new XP Pro too. CD looks ok and there is a sticker put in my PC that says it is an Windows XP Professional OEM Software. There is not much software piracy in Finland though.

    The only thing that comes to mind is that I have disabled also netbios over tcp/ip in network connections. Anyways nothing starting with E in my Comodo applications rules and as shown also in that wireshark screen capture, it does not cause any internet connection when I search files in my HD.
    Jarmo
     
  25. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Hello.

    I found this here:

    Not sure how valid is this though, but sounds familiar, doesn't it?

    This is related also (from here):

    Well, I'm not quite convinced. I'll look more into this when I find more time.

    Have a nice day ;)
     
Loading...
Similar Threads
  1. Overkill
    Replies:
    5
    Views:
    735
Thread Status:
Not open for further replies.